Re: [webauthn] Support for raw cryptographic signatures (#1611)

This appears to be a duplicate of #1595 and #1608.

A raw signature provides integrity but does not provide the guarantees necessary for authentication. The purpose of the public key credentials is exclusively about providing information about the associated authentication event handled by the hardware. It is highly unlikely the same key pair would be allowed to be used to sign arbitrary messages, as this would allow interception of requests and forgery of authentication responses. 

Putting this aside, authenticator implementations today would also not support this extension, leaving compatibility to a subset of future platform versions and hardware - possibly subsetted further by the tendency of such distributed systems to use more exotic cryptography primitives.

In addition, there are no guarantees about the permanence of Web Authentication public key credentials by authenticators. A platform authenticator may theoretically be backed by local storage, with the same removal policy as a non-exportable WebCrypto key in JavaScript.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1611#issuecomment-839612634 using your GitHub account



Received on Wednesday, 12 May 2021 09:19:56 UTC
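
To illustrate the distinction drawn in the comment above between signature integrity and authentication guarantees, here is an added Node.js example (not code from the thread or from the WebAuthn specification). It runs the relying-party checks on the authentication context that a WebAuthn assertion signature covers. `RP_ID`, `ORIGIN`, the challenge value and the function names `makeAssertion`, `verifyAssertion` and `demo` are constructed for this example; `makeAssertion` is a stand-in for a real authenticator and client.

```javascript
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();
// Constructed relying-party values (assumptions, not taken from the thread).
const RP_ID = 'example.com';
const ORIGIN = 'https://example.com';

// Hypothetical stand-in for authenticator plus client: the signature covers
// authenticatorData || SHA-256(clientDataJSON), never a caller-chosen message.
function makeAssertion(privateKey, { rpId, origin, challenge, flags, signCount }) {
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags]), counter]);
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { authenticatorData, clientDataJSON, signature: sign('sha256', signed, privateKey) };
}

// Relying-party side: returns the names of failed checks (empty array = accepted).
function verifyAssertion(publicKey, a, { expectedChallenge, storedSignCount }) {
  const failures = [];
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!verify('sha256', signed, publicKey, a.signature)) failures.push('signature');
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') failures.push('type');
  if (client.challenge !== expectedChallenge.toString('base64url')) failures.push('challenge');
  if (client.origin !== ORIGIN) failures.push('origin');
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) failures.push('rpIdHash');
  if ((a.authenticatorData[32] & 0x01) === 0) failures.push('userPresent'); // UP flag
  const count = a.authenticatorData.readUInt32BE(33);
  if ((count !== 0 || storedSignCount !== 0) && count <= storedSignCount) failures.push('signCount');
  return failures;
}

// Every case below carries a cryptographically valid signature; only the context differs.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
  const challenge = Buffer.from('constructed-challenge-0001');
  const base = { rpId: RP_ID, origin: ORIGIN, challenge, flags: 0x01, signCount: 5 };
  const check = (overrides, stored = 4) => verifyAssertion(publicKey,
    makeAssertion(privateKey, { ...base, ...overrides }),
    { expectedChallenge: challenge, storedSignCount: stored });
  return { valid: check({}), otherOrigin: check({ origin: 'https://other.example' }),
    staleChallenge: check({ challenge: Buffer.from('constructed-challenge-0000') }),
    otherRp: check({ rpId: 'other.example' }), noUserPresence: check({ flags: 0x00 }),
    replayedCounter: check({}, 5) };
}
```
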